By submitting your personal information, you agree to receive emails regarding relevant products and special offers from TechTarget and its partners. You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

According to a Symantec DeepSight threat management service advisory, the problem surfaces when QuickTime attempts to handle URIs in the 'qtnext' field in .qtl files. "When attempting to handle specially-crafted .qtl files, arbitrary applications on the victim's computer may be launched with attacker-controlled command-line arguments," the advisory said. "Successfully exploiting this issue facilitates the remote compromise of affected computers."

Apple said in its QuickTime 7.2 security advisory: "A command injection issue exists in QuickTime's handling of URLs in the qtnext field in QTL files. By enticing a user to open a specially crafted .qtl file, an attacker may cause an application to be launched with controlled command line arguments, which may lead to arbitrary code execution. This update addresses the issue through improved handling of URLs. This issue does not affect Mac OS X."

This is the second time Apple has tried to close the QuickTime security hole. Apple tried to address the problem earlier this year in the release of QuickTime 7.1.5, but the fix fell short. Researches Petko D. Petkov and Aviv Raff released proof-of-concept exploits to demonstrate how QuickTime was still vulnerable to attack.

E-Handbook

0 comments

E-Mail

Username / Password

Password

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy